HIPAA Covered Entities and Business Associates: Compliance Requirements and Examples
Definitions of Covered Entities and Business Associates
Covered Entities
Covered entities are health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with standard transactions. They create, receive, maintain, or transmit Protected Health Information (PHI) and must comply with the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule.
Business Associates
A business associate is any person or organization that performs services or functions for a covered entity involving the use or disclosure of PHI. Business associates are directly responsible for safeguarding PHI and complying with applicable Privacy and Security Rule requirements. Subcontractors of business associates that handle PHI are also business associates and inherit these obligations.
Compliance Requirements for Covered Entities
HIPAA Privacy Rule
- Limit uses and disclosures to treatment, payment, and health care operations, or as otherwise permitted or authorized.
- Apply the minimum necessary standard and maintain a current Notice of Privacy Practices.
- Honor individual rights: access, amendments, accounting of disclosures, restrictions, and confidential communications.
- Implement policies, workforce training, and sanctions to consistently protect PHI.
HIPAA Security Rule
The Security Rule requires a documented risk analysis and implementation of safeguards that are reasonable and appropriate to the organization’s risks.
- Administrative Safeguards: risk management, assigned security responsibility, workforce training, security incident procedures, contingency planning, and periodic evaluations.
- Physical Safeguards: facility access controls, workstation security, and device/media controls (including secure disposal).
- Technical Safeguards: access controls (unique IDs, MFA where feasible), audit controls, integrity protections, person/entity authentication, and transmission security (robust encryption in transit and at rest as appropriate).
Breach Notification Rule
- Assess suspected incidents to determine if PHI was compromised; document the risk assessment and decision.
- Provide timely notifications to affected individuals and regulators, and to the media when required; implement corrective actions to prevent recurrence.
Ongoing Governance
- Maintain written policies and procedures, retain documentation for required periods, and conduct regular audits and monitoring.
- Vet vendors, execute a Business Associate Agreement before sharing PHI, and verify downstream protections.
Business Associate Agreements and Key Provisions
Required Elements
- Permitted and required uses/disclosures of PHI, including minimum necessary expectations.
- Obligation to implement Security Rule safeguards and report security incidents and breaches without undue delay.
- Requirement to ensure subcontractors agree to the same restrictions and safeguards.
- Right for the covered entity to terminate for material breach and requirement to return or destroy PHI upon termination.
Operational Provisions That Strengthen Protection
- Incident reporting timelines, audit and assessment rights, and cooperation during investigations.
- Data aggregation, de-identification parameters, and restrictions on marketing, sale of PHI, and fundraising uses.
- Clear allocation of responsibilities for access requests, amendments, and accounting of disclosures when the business associate is involved.
Examples of Business Associates and Subcontractors
Business Associate Examples
- Electronic health record and practice management vendors; e-prescribing networks; health information exchanges.
- Cloud hosting, data backup, email, and secure messaging providers that store or process PHI.
- Billing, coding, claims processing, revenue cycle firms, and third-party administrators for group health plans.
- Analytics, quality improvement, care management, and population health platforms handling PHI.
- Consultants, attorneys, and accountants when services require access to PHI.
- Call centers, transcription, scanning and digitization, records storage, and secure disposal/shredding services.
Subcontractor Examples
- Infrastructure and managed service providers used by a primary vendor to host or process PHI.
- Specialty coding or collections agencies hired by a billing company.
- SMS gateways, email relays, and content delivery networks used by a patient communication platform.
Liability and Penalties for Non-Compliance
Civil and Criminal Penalties
- Civil Money Penalties are tiered based on culpability (from lack of knowledge to willful neglect) and can escalate significantly when violations are repeated or uncorrected.
- Criminal penalties may apply for knowingly obtaining or disclosing PHI in violation of HIPAA, with enhanced penalties for offenses committed under false pretenses or for commercial advantage, personal gain, or malicious harm.
Enforcement and Corrective Action
- Resolution agreements often include multi-year corrective action plans, monitoring, and reporting duties.
- Business associates are directly liable for Security Rule compliance and certain Privacy Rule violations, including impermissible disclosures and failure to provide breach notifications.
Role of Covered Entities Acting as Business Associates
A single organization can be a covered entity in one context and a business associate in another. For example, a hospital that provides centralized billing for independent clinics acts as a business associate for those services, even while remaining a covered entity for its own patients.
- Map roles and data flows: document when you act as a covered entity versus a business associate.
- Use appropriate agreements: Notices of Privacy Practices when acting as a covered entity; Business Associate Agreements when providing services to another entity.
- Segregate systems and staff where feasible to maintain minimum necessary access and reduce conflict-of-interest risks.
- Train the workforce on role-specific obligations and escalation paths.
Updates to Compliance Requirements in 2025
Privacy Rule Focus Areas
- Stronger restrictions on certain uses and disclosures of PHI related to sensitive services (such as reproductive health care), with new attestation and verification steps for specific requests.
- Clarifications around minimum necessary, law enforcement requests, and documentation needed to substantiate disclosures.
Security Rule Expectations
- Demonstrating “recognized security practices” over a sustained period can mitigate enforcement risk; maintain evidence of risk analysis, MFA deployment, encryption, logging, and incident response testing.
- Increased emphasis on vendor due diligence for cloud, telehealth, and messaging platforms that create, receive, maintain, or transmit PHI.
Enforcement Trends and Operations
- Right of Access remains a priority: meet response timelines, standardize identity verification, and monitor fulfillment metrics.
- Annual inflation adjustments increase potential Civil Money Penalties; keep leadership apprised of financial exposure.
- Refresh Business Associate Agreement templates and Notices of Privacy Practices to reflect recent rule changes and organizational practices.
Action Plan for 2025
- Update risk analysis to cover emerging threats and vendor dependencies; align safeguards to current risks.
- Revise policies, workflows, and training to incorporate new disclosure restrictions and documentation requirements.
- Validate incident response, breach assessment criteria, and reporting timelines through tabletop exercises.
Conclusion
HIPAA covered entities and business associates share responsibility for protecting PHI. By grounding programs in the HIPAA Privacy Rule and HIPAA Security Rule, executing strong Business Associate Agreements, and addressing 2025 updates proactively, you reduce risk, strengthen trust, and demonstrate compliance readiness.
FAQs
What are the main compliance responsibilities of covered entities?
Covered entities must protect PHI under the HIPAA Privacy Rule and HIPAA Security Rule, limit uses and disclosures to permitted purposes, honor individual rights, maintain policies and training, assess and mitigate security risks, and provide timely breach notifications when required.
How do business associate agreements protect PHI?
A Business Associate Agreement contractually binds vendors to safeguard PHI, defines permitted uses and disclosures, mandates Security Rule safeguards, requires incident and breach reporting, and flows down the same obligations to subcontractors, creating clear accountability throughout the data chain.
What penalties apply for HIPAA violations?
Civil and criminal penalties range from tiered civil fines based on culpability to criminal sanctions for knowingly obtaining or disclosing PHI unlawfully. Penalties increase with willful neglect, repeated violations, or intent to profit or cause harm, and can include corrective action plans and monitoring.
Can a covered entity also be a business associate?
Yes. An organization can be a covered entity for its own patients or members and a business associate when it provides services involving PHI to another covered entity. It must use the correct agreements, segregate roles where feasible, and train staff on the distinct obligations that apply in each role.